Star Health and Allied Insurance, one of the largest health insurance firms in India, has confirmed it was the target of a “malicious cyberattack,” some two weeks after cybercriminals claimed to post customers’ health records and other sensitive data online.
The Chennai-headquartered insurance giant told TechCrunch in a statement Wednesday that the cyberattack resulted in “unauthorized and illegal access to certain data,” though it stated its operations remained unaffected and services continued.
“A thorough and rigorous forensic investigation, led by independent cybersecurity experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cybersecurity regulatory authorities apart from filing a criminal complaint,” the company said in its statement.
When asked by TechCrunch, Star Health would not say if the data breach included customers’ data.
Last month, a hacker group created chatbots on Telegram that leaked the alleged personal data belonging to 31 million Star Health policyholders and over 5.8 million insurance claims. The data included full names, phone numbers, and home addresses, as well as medical reports and insurance claims of individuals. The hackers also shared copies of customer ID cards and individuals’ tax details.
Star Health told TechCrunch at the time that the company was “investigating” the alleged theft.
Shortly after the hackers’ Telegram bots came to light, Star Health filed a legal complaint with the Madras High Court against Telegram for hosting the chatbots. The insurer also named Cloudflare in its lawsuit for its role in hosting the hacker group’s websites on its service.
India’s CERT-In told TechCrunch earlier that it was “already in process of taking appropriate action with the concerned authority.”
Details of the breach, and how the hackers obtained potentially millions of customers’ data, remain unclear.
The hackers’ website, used to publicize the Telegram bots sharing the allegedly stolen person data, includes a video allegedly showing screenshots and conversations between Star Health CISO Amarjeet Khanuja and the hacker group. TechCrunch is not linking to the site as it contains personally identifiable information.
The role of the company’s CISO in the cyberattack, if at all, is not yet known.
“We also want to categorically mention that our CISO has been duly co-operating in the investigation, and we have not arrived at any finding of wrongdoing by him till date. We request that his privacy be respected as we know that the threat actor is trying to create panic,” the insurer said Wednesday.
TechCrunch asked specific questions, including whether the insurer can confirm who accessed the data, whether it was an insider or a malicious intruder, and if it knows and can confirm what has been accessed or taken already. The insurer would not say.
Star Health, which provides health, personal accident, and overseas and travel insurance, has a network of more than 14,000 hospitals and over 850 branch offices across India. Star Health says on its website that it has provided health insurance coverage to 170 million individuals.
